limeister77
Level 9

Possible False Positive - Artemis!E088D5F5DA3D


Hello All

I am a new user here.

Let me first post the log file entry.

The Artemis alert pops up on two machines.  I have posted it here.

Machine 01

WinXP PRO XP SP2

McAfee VirusScan Enterprise Workstation

Version 8.7.0.570

DAT Version 6797

8/10/2012 9:57:00 AM Deleted  SYSTEM System:Remote C:\WINDOWS\system32\bdvsapi.c Artemis!E088D5F5DA3D (Virus)

Machine 02

WinXP PRO XP SP3

McAfee VirusScan Enterprise Workstation

Version 8.7.0.570

DAT Version 6797

8/10/2012 10:04:51 AM Deleted  TLGKR7104DO009\Linde System:Remote(192.168.1.211 (ASP2_OS_SV1)) C:\WINDOWS\system32\kyllzq.dbc Artemis!E088D5F5DA3D (Virus)

They used to have a conficker virus problem but I solved that.

Now only this virus alert remains.  How do I get rid of this alert on these machines?

I apologise if I omitted other necessary information to solve this issue.

Your prompt help is appreciated. 

0 Kudos
1 Solution

Accepted Solutions
limeister77
Level 9

Re: Possible False Positive - Artemis!E088D5F5DA3D


Hello Showvik, Peacekeeper and the rest of the folks at McAfee.

Thank you for the instructions to help out with the ARTEMIS problem.

I updated the virus definitions, used the extra dat you provided and ran scans on every computer that was mentioned in the log files.

All systems are clean now.

Thank you for your patience.

Cheers

0 Kudos
31 Replies
Peacekeeper
Level 20

Re: Possible False Positive - Artemis!E088D5F5DA3D


Different names, same detection; quite possibly a new virus. Why do you think it is a false detection? The file names are strange.

Send both to McAfee as per

http://vil.nai.com/vil/submit-sample.aspx

When you get a reply (it should be straight away), reply to that saying in the subject: possible false detection Artemis!E088D5F5DA3D

Say why you think it is, and make sure you only send one per submission.

Post your analysis IDs here.

0 Kudos
showvik
Level 12

Re: Possible False Positive - Artemis!E088D5F5DA3D


Hi,

The samples mentioned here are detected as W32/Conficker.worm.gen.b with production DATs. However, for the Conficker-specific cleaning to occur, please configure another full scan with Artemis disabled.

Please refer to the information available at the following links for understanding the threat vector:

<http://www.mcafee.com/threat-intelligence/malware/default.aspx?id=153710>

<http://www.mcafee.com/us/threat-center/conficker.aspx>

The machine should have all the Windows and McAfee updates installed, especially the following:

<http://technet.microsoft.com/en-us/security/bulletin/ms08-067>

Regards,

Showvik

0 Kudos
limeister77
Level 9

Re: Possible False Positive - Artemis!E088D5F5DA3D


Dear All

Thanks for your prompt replies.

I believe it is a false positive because I have completed the following tasks. 

If I have missed a task then please let me know and I will try it.

For WinXP SP2 system.

1) Updated DAT to most recent version and ran ON DEMAND scan.  No detections found.

2) Also ran ON DEMAND scan in safe mode.  No detections found.

3) Ran stinger removal tool.  No detections found

5) Ran MS Removal Tool Windows-KB890830-V4.10.exe

6) Followed instructions in KB962007.  It is a local machine so some instructions for Group Policy did not apply.

7) Installed MS08-067 security patch & Update 967715

8) Ran Windows Update except upgrading to SP3

9) No more Conficker virus message, but I keep getting the Artemis message.

Since you have instructed me to make one per submission, I will repost what I did for the other machine in the thread.

0 Kudos
showvik
Level 12

Re: Possible False Positive - Artemis!E088D5F5DA3D


Hi,

Thank you for performing the steps mentioned above. However, as stated earlier, we would like you to configure a custom On Demand Scan with Heuristics turned off and perform a full scan with these custom ODS settings. If the value after Artemis! has changed, let us know the full Artemis detection names that are observed now.

Regards,

Showvik

0 Kudos
limeister77
Level 9

Re: Possible False Positive - Artemis!E088D5F5DA3D


Thanks for your continued support on this issue.

I ran a custom On Demand scan.  I have disabled Heuristics.

No change in values.  I still see a message pop up on the screen:

8/28/2012          10:16:47 AM          Deleted           SYSTEM          System:Remote          C:\WINDOWS\system32\bdvsapi.c          Artemis!E088D5F5DA3D (Virus)

8/28/2012          10:43:53 AM          Deleted           SYSTEM          System:Remote          C:\WINDOWS\system32\bdvsapi.c          Artemis!E088D5F5DA3D (Virus)

8/28/2012          10:48:46 AM          Deleted           SYSTEM          System:Remote          C:\WINDOWS\system32\bdvsapi.c          Artemis!E088D5F5DA3D (Virus)

8/28/2012          10:59:40 AM          Deleted           SYSTEM          System:Remote          C:\WINDOWS\system32\bdvsapi.c          Artemis!E088D5F5DA3D (Virus)

8/28/2012          11:25:15 AM          Deleted           SYSTEM          System:Remote          C:\WINDOWS\system32\bdvsapi.c          Artemis!E088D5F5DA3D (Virus)

8/28/2012          11:30:08 AM          Deleted           SYSTEM          System:Remote          C:\WINDOWS\system32\bdvsapi.c          Artemis!E088D5F5DA3D (Virus)

8/28/2012          11:42:20 AM          Deleted           SYSTEM          System:Remote          C:\WINDOWS\system32\bdvsapi.c          Artemis!E088D5F5DA3D (Virus)

8/28/2012          12:06:37 PM          Deleted           SYSTEM          System:Remote          C:\WINDOWS\system32\bdvsapi.c          Artemis!E088D5F5DA3D (Virus)

Please see attached results of the scan I performed today.

8/28/2012          10:09:12 AM                    Engine version                          =          5400.1158

8/28/2012          10:09:12 AM                    AntiVirus   DAT version                 =          6816.0

8/28/2012          10:09:12 AM                    Number of detection signatures in EXTRA.DAT =          None

8/28/2012          10:09:12 AM                    Names of detection signatures in EXTRA.DAT  =          None

8/28/2012          10:08:59 AM          Scan Started          ASP2_OS_CL2\LINDE          On-Demand Scan

8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Scan Summary

8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Processes scanned    : 98

8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Processes detected   : 0

8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Processes cleaned    : 0

8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Boot sectors scanned : 3

8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Boot sectors detected: 0

8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Boot sectors cleaned : 0

8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Files scanned        : 65171

8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Files with detections: 0

8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          File detections      : 0

8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Files cleaned        : 0

8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Files deleted        : 0

8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Files not scanned    : 49

8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Scan Summary (Registry Scanning)

8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Keys scanned         : 34738

8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Keys detected        : 0

8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Keys cleaned         : 0

8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Keys deleted         : 0

8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Scan Summary (Cookie Scanning)

8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Cookies scanned      : 1

8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Cookies detected     : 0

8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Cookies cleaned      : 0

8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Cookies deleted      : 0

8/28/2012          10:44:52 AM          Scan Summary          ASP2_OS_CL2\LINDE          Run time             : 0:35:53

8/28/2012          10:44:52 AM          Scan Complete          ASP2_OS_CL2\LINDE          On-Demand Scan

I will try with the other machine later today or tomorrow.

Thanks again.

0 Kudos
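An added example, not part of the thread and not McAfee code: a small Python parser for VirusScan Enterprise on-access log lines of the shape quoted in the opening post and in the 8/28 entries above. It groups detections per file, flags a path that keeps being deleted and reappearing (a file re-dropped over the network, since the source is System:Remote), records the remote client IP/host where the log names one, and pairs an Artemis name with the MD5 of a quarantined sample. The sample log is constructed from the thread's own paths, detection name, IP and host; the MD5-prefix rule (Artemis!<12 hex digits> is the leading part of the sample's MD5, as in the directory name of showvik's test path) is an assumption made here, and the action names other than Deleted and No Action Taken are assumed too.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Pattern for the VirusScan Enterprise on-access log lines quoted in this thread:
#   date  time  action  user  source  path  detection (type)
# "source" is System:Local or System:Remote; the latter may carry "(ip (host))"
# naming the network client that wrote the file. Only Deleted and No Action Taken
# appear on the page; the other action names are assumed.
LINE_RE = re.compile(
    r"^(?P<date>\d{1,2}/\d{1,2}/\d{4})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+"
    r"(?P<action>Deleted|Cleaned|Quarantined|No Action Taken)\s+"
    r"(?P<user>\S+)\s+"
    r"(?P<source>System:(?:Remote|Local))"
    r"(?:\((?P<src_ip>[^\s()]+)\s+\((?P<src_host>[^()]+)\)\))?\s+"
    r"(?P<path>[A-Za-z]:\\.+?)\s+"
    r"(?P<detection>\S+)\s+\((?P<type>[^()]+)\)\s*$"
)

# Constructed sample modelled on the entries quoted in the thread (same paths,
# detection name, client IP and host); it is not an exported log file.
SAMPLE_LOG = r"""
8/28/2012 10:16:47 AM Deleted SYSTEM System:Remote C:\WINDOWS\system32\bdvsapi.c Artemis!E088D5F5DA3D (Virus)
8/28/2012 10:43:53 AM Deleted SYSTEM System:Remote C:\WINDOWS\system32\bdvsapi.c Artemis!E088D5F5DA3D (Virus)
8/28/2012 10:48:46 AM Deleted SYSTEM System:Remote C:\WINDOWS\system32\bdvsapi.c Artemis!E088D5F5DA3D (Virus)
8/10/2012 10:04:51 AM Deleted TLGKR7104DO009\Linde System:Remote(192.168.1.211 (ASP2_OS_SV1)) C:\WINDOWS\system32\kyllzq.dbc Artemis!E088D5F5DA3D (Virus)
8/28/2012 10:09:12 AM Engine version = 5400.1158
"""


def parse_line(line):
    """Return a dict for a detection line, or None for anything else
    (engine/DAT banner lines, scan summaries, blank lines)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    stamp = " ".join(f"{rec['date']} {rec['time']}".split())
    rec["when"] = datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p")
    return rec


def artemis_hash_prefix(detection):
    """The 12 hex digits after 'Artemis!' (lower-cased), or None for other names."""
    m = re.fullmatch(r"Artemis!([0-9A-Fa-f]{12})", detection)
    return m.group(1).lower() if m else None


def matches_artemis(detection, md5_hex):
    """Assumption made here: the Artemis suffix is the leading 12 hex digits of the
    sample's MD5. Lets an admin pick the quarantined file that belongs to the
    reported detection before submitting it."""
    prefix = artemis_hash_prefix(detection)
    return prefix is not None and md5_hex.lower().startswith(prefix)


def redrop_gaps_minutes(records, path):
    """Minutes between consecutive detections of one path, oldest first."""
    times = sorted(r["when"] for r in records if r["path"] == path)
    return [round((b - a).total_seconds() / 60, 1) for a, b in zip(times, times[1:])]


def summarize(log_text, repeat_threshold=3):
    """Count detections per (path, name), flag paths hit at least repeat_threshold
    times, and list the remote clients that wrote each path. A file that is deleted
    and reappears via System:Remote is being re-dropped from another host; that
    writer (when the log names it) is where cleaning has to continue."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    per_file = Counter((r["path"], r["detection"]) for r in records)
    remote_writers = defaultdict(set)
    for r in records:
        if r["source"] == "System:Remote":
            remote_writers[r["path"]].add(
                (r["src_ip"] or "unknown", r["src_host"] or "unknown"))
    persistent = [key for key, n in per_file.items() if n >= repeat_threshold]
    return {
        "records": records,
        "per_file": per_file,
        "persistent": persistent,
        "remote_writers": dict(remote_writers),
        "hashes": sorted({artemis_hash_prefix(r["detection"]) for r in records} - {None}),
    }


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for path, name in result["persistent"]:
        print(f"{path}: {result['per_file'][(path, name)]}x {name}, "
              f"gaps {redrop_gaps_minutes(result['records'], path)} min, "
              f"written by {result['remote_writers'].get(path)}")
```

Run against a real OnAccessScanLog export, the "persistent" list shows which files the on-access scanner is only suppressing rather than removing, and "remote_writers" gives the client addresses to scan next; the on-demand scan summary quoted above (0 detections) is consistent with that picture, because the dropper lives on the writing host, not on the scanned one.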
limeister77
Level 9

Re: Possible False Positive - Artemis!E088D5F5DA3D


Hello All

Has there been any follow up on this matter?

Cheers

0 Kudos
Peacekeeper
Level 20

Re: Possible False Positive - Artemis!E088D5F5DA3D


Showvik needs to reply to this; if he doesn't, I will ask him nicely, as he is busy.

0 Kudos
showvik
Level 12

Re: Possible False Positive - Artemis!E088D5F5DA3D


Hi,

That is strange, as in my test machine I see the Conficker detection. Please refer to the logs below from my test:

9/20/2012    11:51:47 PM        Engine version                          =    5400.1158

9/20/2012    11:51:47 PM        AntiVirus   DAT version                 =    6841.0

9/20/2012    11:51:47 PM        Number of detection signatures in EXTRA.DAT =    1

9/20/2012    11:51:47 PM        Names of detection signatures in EXTRA.DAT  =    None

9/20/2012    11:51:33 PM    Scan Started    BANRVARMAVM1\rvarma    On-Demand Scan

9/20/2012    11:51:50 PM    No Action Taken     rvarma    ODS    D:\xxx\20th Sep\e088d5f5da3da1f48bcf30a63d7530e1\107180052\107180052    W32/Conficker.worm.gen.b

Best here would be to submit the sample to McAfee Labs as suggested by Tony earlier and post back the submission ID here. We will respond to that submission with a fix.

Regards,

Showvik

0 Kudos
limeister77
Level 9

Re: Possible False Positive - Artemis!E088D5F5DA3D


Thank you for your continued help in solving this issue.

There are a lot of files that are in the Quarantine folder.

Can I zip the most recent file and send it to McAfee Labs as a sample?

Your prompt response will be appreciated.

Cheers

0 Kudos